
dependency-audit (listed)

Audit dependencies for security vulnerabilities, outdated versions, license risks, and bloat. Use when reviewing third-party packages, before a release, or when the user asks about CVEs, updates, or supply-chain risk.
tansuasici/claude-code-kit · ★ 1 · AI & Automation · score 77
Install: claude install-skill tansuasici/claude-code-kit
# Dependency Audit

## Core Rule

Flag known CVEs, license drift, and bloat with concrete upgrade paths. Never install or upgrade without explicit user approval.

## When to Use

Invoke with `/dependency-audit` when:

- Reviewing a project's dependency health before a release
- Investigating supply chain security concerns
- Planning a dependency update or migration
- Assessing technical debt from outdated packages
- Onboarding to a project and evaluating its dependency choices

## Default Behavior

When the user asks to audit, scan, review, or "give me a report" for dependencies / vulnerabilities, produce the full dependency-audit report automatically using the Process and Output Format sections below. Do not require the user to specify fields.

Only modify files when the user explicitly requests implement / fix / apply / refactor. By default, this skill is **report-only**.

## Process

### Phase 1: Inventory (first-pass leads)

This pass produces **candidates**, not findings. Treat counts as leads for deeper inspection in later phases. Do not report Phase 1 raw output as the final result.

Catalog all dependencies:

1. **Read dependency manifests** — `package.json`, `pyproject.toml`, `go.mod`, `Cargo.toml`, `Gemfile`, `pom.xml`, `build.gradle`
2. **Separate categories** — production vs development dependencies
3. **Count totals** — direct dependencies, estimate transitive depth
4. **Identify lock file presence** — `package-lock.json`, `poetry.lock`, `go.sum`, `Cargo.lock`

#
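The four Phase 1 steps above, carried out for one of the listed manifests (`package.json` with its `package-lock.json`), as an added example that is not part of the claude-code-kit skill: it splits production from development dependencies, counts direct packages, estimates the transitive footprint from the lock file's resolved entries, and records leads (unpinned specs, non-registry sources, open-ended ranges, a missing lock file) for the later phases to inspect rather than reporting them as findings. The sample manifest and lock file are constructed in a temporary directory, and the lead heuristics in `classify_spec` are an assumption of this example, not a rule from the skill.

```python
"""Phase 1 inventory of a Node project: manifest split, counts, lock file, leads."""
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Lock files that pin the transitive graph for a package.json; none present is itself a lead.
NODE_LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")


@dataclass
class Inventory:
    production: dict = field(default_factory=dict)
    development: dict = field(default_factory=dict)
    lockfiles: List[str] = field(default_factory=list)
    resolved_total: int = 0  # packages pinned in package-lock.json (0 when absent)
    leads: List[str] = field(default_factory=list)

    @property
    def direct_count(self) -> int:
        return len(self.production) + len(self.development)

    @property
    def transitive_estimate(self) -> int:
        # Resolved entries minus the direct ones approximates the transitive footprint.
        return max(self.resolved_total - self.direct_count, 0)


def classify_spec(name: str, spec: str) -> Optional[str]:
    """Return a lead for a version spec that deserves deeper inspection, else None (assumed heuristics)."""
    s = spec.strip()
    if s in ("", "*", "latest", "x"):
        return f"{name}: unpinned spec {spec!r} (any published version satisfies it)"
    if s.startswith(("git+", "git:", "github:", "http://", "https://", "file:")):
        return f"{name}: non-registry source {spec!r} (outside registry advisory coverage)"
    if s.startswith(">") and "<" not in s:
        return f"{name}: open-ended range {spec!r} (no upper bound)"
    return None


def inventory_node_project(root: str) -> Inventory:
    """Steps 1-4 of Phase 1 for the project rooted at `root`."""
    inv = Inventory()
    with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    # Step 2: separate production from development dependencies.
    inv.production = dict(manifest.get("dependencies", {}))
    inv.development = dict(manifest.get("devDependencies", {}))
    # Step 4: lock file presence.
    inv.lockfiles = [lf for lf in NODE_LOCKFILES if os.path.exists(os.path.join(root, lf))]
    if not inv.lockfiles:
        inv.leads.append("no lock file: installs are not reproducible and the transitive graph is unknown")
    lock_path = os.path.join(root, "package-lock.json")
    if os.path.exists(lock_path):
        with open(lock_path, encoding="utf-8") as fh:
            lock = json.load(fh)
        # lockfileVersion 2/3: "packages" maps each resolved install path to its pinned version;
        # the "" key is the root project itself and is not a dependency.
        inv.resolved_total = sum(1 for path in lock.get("packages", {}) if path != "")
    # Step 3 is covered by the properties; collect spec leads for later phases.
    for section in (inv.production, inv.development):
        for name, spec in section.items():
            lead = classify_spec(name, spec)
            if lead:
                inv.leads.append(lead)
    return inv


def format_report(inv: Inventory) -> str:
    lines = [
        f"direct: {inv.direct_count} ({len(inv.production)} prod, {len(inv.development)} dev)",
        f"lock files: {', '.join(inv.lockfiles) or 'none'}",
        f"resolved in lock: {inv.resolved_total}, transitive estimate: {inv.transitive_estimate}",
        f"leads ({len(inv.leads)}):",
    ] + [f"  - {lead}" for lead in inv.leads]
    return "\n".join(lines)


# Constructed sample project (names and the example.com URL are placeholders).
SAMPLE_PACKAGE_JSON = {
    "name": "demo-app",
    "dependencies": {
        "express": "^4.18.2",
        "lodash": "*",
        "internal-utils": "git+https://github.com/example/internal-utils.git",
    },
    "devDependencies": {"jest": "~29.7.0", "eslint": ">=8"},
}
SAMPLE_PACKAGE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/internal-utils": {"version": "1.0.0"},
        "node_modules/jest": {"version": "29.7.0"},
        "node_modules/eslint": {"version": "8.57.0"},
        "node_modules/accepts": {"version": "1.3.8"},
        "node_modules/body-parser": {"version": "1.20.1"},
        "node_modules/mime-types": {"version": "2.1.35"},
        "node_modules/mime-db": {"version": "1.52.0"},
    },
}


def run_demo(with_lock: bool = True) -> Inventory:
    """Write the constructed sample to a temp dir (optionally without a lock file) and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_PACKAGE_JSON, fh)
        if with_lock:
            with open(os.path.join(root, "package-lock.json"), "w", encoding="utf-8") as fh:
                json.dump(SAMPLE_PACKAGE_LOCK, fh)
        return inventory_node_project(root)


if __name__ == "__main__":
    print(format_report(run_demo()))
```

The output is deliberately a list of leads plus counts: the caret and tilde ranges are not flagged because the lock file pins them, while the wildcard, the git source and the unbounded range are the entries a later phase should resolve against advisory data and license metadata.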